Individuals Privacy Notice
1. Entities of the DUE group
“Due Network”, “we”, “us” and “our” means:
• Due Ltd, registered in the United Kingdom (“UK”), with registered office at 71–75 Shelton Street, Covent Garden, London WC2H 9JQ, and company registration number 14369984;
• Due Payments EOOD, registered in Bulgaria, with registration number 207457701 and registered office at Hubcha Street, No. 8, 2nd floor, apt. A-1, Krasno Selo, Sofia 1618, Bulgaria;
• Due Network, SL, registered in Spain, with registered office at Paseo de la Castellana 91, 4th, 1st, Madrid 28046, and commercial registration number 16407272;
• Due Payments Inc., registered in Canada (registration no. 1000864948), with its registered office at 80 Birmingham Street, Unit C6, Etobicoke (Ontario) M8V 3W6, Canada;
• Due Technologies Inc., registered in the state of Delaware (USA), with registered office at 169 Madison Avenue, Suite 11441, New York, NY 10016, USA; and/or
• Due Network Argentina SRL, registered in Argentina, with registered office at Tucumán 1, 4th floor, CP1049, Autonomous City of Buenos Aires, Argentina, and commercial registration number 2024182.
We are committed to respecting your privacy.
2. About this privacy notice
For the purposes of data protection regulations, we act as the data controller of your personal data. We are responsible for ensuring that we use your personal data in compliance with data protection law.
This privacy notice applies if you are an end user of our products and services. It sets out the basis on which any personal data about you that you provide to us, that we generate about you, or that we obtain about you from other sources will be processed by us. Please take the time to read and understand this privacy notice.
This notice also covers, where applicable, prospective clients (before contracting), users who contact support, and website visitors (for processing related to website use and security). The processing of personal data through cookies and similar tracking technologies is governed separately by our Cookie Policy, which is available at https://www.opendue.com/es/legal/cookie-policy
This notice does not apply to representatives/UBOs of institutional (B2B) clients, who are governed by the Business Privacy Notice.
3. Your responsible party and roles within the group
The products and services are provided through the group's local operating entities. The entity with which you contract (according to the applicable Terms and Conditions) is your data controller for the contractual relationship.
Other entities within the group may act as independent controllers for specific processing activities (for example, due to their own regulatory obligations or for the technical provision of the service).
When two or more entities jointly determine the purposes and means of processing, they may act as joint controllers (Art. 26 GDPR). In that case, the essence of the joint controller arrangement will be made available to you and may be requested at any time from our Data Protection Officer at dpo@due.network. We will also indicate the main contact point for exercising your rights vis-à-vis the group.
4. Legal basis
We process your personal data based on the following legal grounds, as applicable:
• Compliance with a legal obligation: when processing is necessary to comply with applicable legal obligations (e.g., AML/CFT obligations, record keeping, reporting to authorities and obligations imposed under MiCA).
• Contract execution: when processing is necessary to execute a contract with the customer or to take pre-contractual steps at the customer's request.
• Legitimate interests: when processing is based on the legitimate interests of the group (for example, fraud detection and prevention, risk management, cybersecurity), provided that such interests do not override your fundamental rights and freedoms. We can describe these interests and the result of the balancing test upon your request.
• Consent: We will only process your personal data on this basis where we have expressly requested and obtained your consent for specific purposes (e.g., marketing communications). You can withdraw your consent at any time without affecting the lawfulness of processing carried out before the withdrawal.
• Compliance with MiCA obligations (Art. 6(1)(c) GDPR): As a Crypto-Asset Service Provider (CASP) authorised under Regulation (EU) 2023/1114 (MiCA), we process personal data to fulfil the regulatory obligations that MiCA imposes on us, including client onboarding documentation, transaction records, wallet verification data and transparency requirements. This processing does not constitute an autonomous legal basis, but falls within Article 6(1)(c) GDPR (compliance with a legal obligation), MiCA being the sectoral regulation that gives rise to that obligation, in the same way as Law 10/2010 does in the AML/CFT context. The processing is necessary for regulatory compliance, risk management and investor protection purposes.
Where we process personal data relating to criminal convictions and offences, such processing is carried out in accordance with Article 10 GDPR and on the basis of Article 6(1)(c) GDPR (legal obligation).
This processing is strictly necessary for compliance with applicable anti-money laundering and counter-terrorist financing (AML/CFT) obligations under Law 10/2010 of 28 April, as amended by Royal Decree-Law 7/2021.
Such processing is limited to what is necessary for these purposes and includes the retention of identification documentation and transaction records for a period of 10 years, in accordance with Article 25 of Law 10/2010.
When processing is based on legitimate interests, you may object at any time on grounds relating to your particular situation. In particular, you have the right to object to the processing of your personal data for direct marketing purposes at any time, with immediate effect.
5. Personal data that we collect about you
We will collect and process the following personal data about you:
Information you provide directly to us or to one of our affiliates when completing forms, going through the onboarding process or communicating with us, whether in person, by phone, email or otherwise. This information may include:
- contact details, including postal/shipping address, billing address, email address and telephone number;
- country of residence;
- nationality;
- tax residence;
- date of birth;
- place of birth (used for cross-referencing the client against potential matches on sanctions lists, politically exposed persons (PEP) registers and adverse media searches, and as required by the Travel Rule in jurisdictions that mandate it pursuant to Regulation (EU) 2023/1113 and equivalent applicable legislation);
- full name;
- identity document number;
- identity document expiry date;
- on-chain wallet address;
- open banking credentials (account details for payment initiation); and
- photograph (selfie or identity document image).
5.1 Information we collect or generate internally about you (not provided directly by you). This includes:
- contact details, including postal/shipping address, billing address, email address and telephone number;
- country of residence;
- date of birth;
- full name;
- identity document data;
- blockchain wallet address;
- open banking credentials (account details for payment initiation);
- photograph; and
- Transaction data, including:
- transaction date(s);
- transaction amount;
- transaction currency;
- counterparty (i.e., client/merchant);
- payment method; and
- payment type (POS, online, etc.).
- Facial biometric data/attributes extracted from selfie/video for liveness verification and face matching, and for duplicate detection (biometric search), where applicable. The processing of biometric data constitutes a special category of data under Article 9 GDPR. The applicable legal basis for this processing is Article 9(2)(g) GDPR (processing necessary for reasons of substantial public interest, specifically the prevention of money laundering and terrorist financing, as laid down in applicable AML/CFT legislation including Law 10/2010 of 28 April), in conjunction with Article 9(2)(b) GDPR where applicable (processing necessary for the performance of obligations and the exercise of rights in the field of employment and social security law), and, where applicable, Article 9 of Organic Law 3/2018 of 5 December on the Protection of Personal Data and guarantee of digital rights (LOPDGDD) for processing carried out in Spain. Processing is strictly limited to what is necessary for identity verification, fraud prevention and AML/CFT compliance, and is subject to the safeguards required under applicable regulations.
- Video identification: The recording of the video identification process, with reliable proof of its date and time, will be stored in digital format in accordance with Article 25 of Law 10/2010 for a period of ten (10) years from the termination of the business relationship or execution of the transaction.
The legal basis for video recording retention is compliance with a legal obligation under Spanish AML law (Article 25, Law 10/2010). The "consent" referenced herein relates to your acknowledgment of the recording process and its retention period, not the legal basis for processing. You may not object to this retention where required by AML regulations; however, access to these recordings is strictly limited to authorised compliance personnel, SEPBLAC, and competent judicial authorities.
This section on video identification applies exclusively to customers who complete their onboarding process with Due Network SL. Customers who sign up through other entities in the group are subject to the specific procedures and policies of the corresponding entity.
5.2 Information we obtain from other sources.
• Information provided by third-party KYC/KYB providers to carry out background checks (e.g., sanctions screening); and
• Information provided by transaction monitoring and wallet verification providers to verify that the wallet being used is secure and that the funds being used are not connected with fraudulent/criminal activity.
• Technical and security data (when you use the Website or app): We may process online identifiers (e.g., IP), access records/logs, device identifiers, and security events to prevent fraud, protect the account, and maintain operational resilience.
• Mandatory/Voluntary: Certain data (e.g., identification/KYC) is mandatory to comply with AML/CFT regulations and to provide the service. Failure to provide this data may prevent us from opening or maintaining your account or executing transactions.
• Transfer of Funds Regulation (TFR) data: In accordance with Regulation (EU) 2023/1113 on information accompanying transfers of funds and certain crypto-assets (TFR), we are required to collect, verify, and retain specific information relating to crypto-asset transfers, including:
- Originator information (such as name, address and wallet address, and additional identifiers where applicable);
- Beneficiary information (such as name and wallet address);
- Transaction details, including identifiers and timestamps; and
- Beneficiary address in the case of Due Payments Inc. (Canada).
This data is processed to ensure the traceability of crypto-asset transfers and to comply with applicable anti-money laundering and counter-terrorist financing obligations. It may be made available to competent authorities upon request.
The processing is carried out on the basis of Article 6(1)(c) GDPR (legal obligation), in accordance with the requirements set out in the TFR.
As part of our AML/CFT and sanctions checks, we may process information related to criminal convictions or offenses. This processing is necessary for compliance with applicable law and for fulfilling our legal obligations as an obligated entity under AML legislation. Where required by local law, we rely on the specific legal grounds provided by that law to process such data. For further details, please contact dpo@due.network.
Safeguards (Art. 10 GDPR): We limit access to authorised personnel, apply access and registration controls, data minimisation and confidentiality.
6. Uses of your personal data
Your personal data may be stored and processed by us in the following ways and for the following purposes to ensure that you are eligible to use our services:
• to verify that you are who you say you are (i.e., identity verification);
• to confirm that you have sufficient funds to make the purchase; and
• to ensure that you are a "good user" and are not associated with fraud, sanctions, crime, etc.
We have the right to use your personal data in these ways because:
• We have legal and regulatory obligations that we must fulfil;
• We may need it to establish, exercise or defend our legal rights or for the purposes of legal proceedings; or
• The use of your personal data as described is necessary for our legitimate business interests (or the legitimate interests of one or more of our affiliates) set out above.
If you would like a copy of our Legitimate Interests Assessment or more details about the specific legal basis for a particular processing activity, please contact dpo@due.network. Due Network S.L. maintains a Record of Processing Activities (RoPA) in accordance with Article 30 GDPR, which sets out in detail the processing activities carried out as data controller. You may request further information about the specific processing activities that concern you by contacting the Data Protection Officer at dpo@due.network.
We process your personal data for the following purposes and on the following legal bases (brief summary):
– KYC/AML and sanctions: legal obligation.
– Provision of service: contract.
– Fraud/security and resilience: legal obligation and/or legitimate interest (subject to the balancing test).
– Marketing (if applicable): consent (with withdrawal/opt-out).
– Authorities/litigation: legal obligation and/or the establishment, exercise or defence of legal claims.
We may use automated tools to detect fraud, manage risk, and comply with AML/CFT regulations (e.g., risk scoring, rules/alerts, and automated analysis). Unless otherwise stated, these tools are used for support purposes and are subject to human review.
If in any case a decision is made based solely on automated processing that produces legal effects or significantly affects you (for example, automatic denial of registration), you will be informed, including meaningful information about the logic applied, the significance and the envisaged consequences, and you may request human intervention, express your point of view and contest the decision (Art. 22 GDPR), in accordance with applicable regulations.
6.1 Profiling and automated decision-making (Art. 22 GDPR)
We use automated tools to support regulatory compliance, including:
- Sanctions/PEP screening against global watchlists using matching algorithms;
- Fraud detection analysing transaction patterns, geolocation, and user interaction data;
- Risk scoring for customer onboarding based on identity verification confidence levels.
Logic: Rule-based algorithms and machine learning models trained on historical compliance data and regulatory watchlists.
Possible consequences: Account restrictions, transaction blocking, or enhanced due diligence requirements. All automated alerts are subject to human review by qualified compliance personnel before any final decision is taken.
Solely automated decisions: Where a decision producing legal effects or similarly significant effects (e.g., automatic registration rejection) is based solely on automated processing, you have the right under Article 22(3) GDPR to:
- Obtain human intervention;
- Express your point of view; and
- Contest the decision.
6.2 Cryptocurrencies, wallets and blockchains
Your use of crypto assets and/or wallets may result in certain transactions being recorded on public networks (blockchains). These networks are third-party and not controlled by Due.
Consequently, certain data (e.g., public addresses, transaction hashes, and associated metadata) may be public or subject to forensic analysis by third parties, and may be immutable (cannot be modified or deleted). We recommend that you consider these implications before operating on public networks.
6.3 Security and operational resilience
We implement reasonable technical and organisational measures to protect data against loss, unauthorised access and disclosure. As part of our regulatory obligations, we may process data for incident detection, forensic investigation and notification to the relevant authorities in the event of security incidents. These activities are carried out in accordance with applicable regulations and with due regard for the protection of personal data.
As an entity subject to Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA), we may also process data relating to information and communication technology (ICT) incidents, including incident logs, data concerning critical third-party ICT service providers, and information required for major incident reports under DORA (Arts. 9, 17 and 19 of the DORA Regulation). Such processing is carried out on the basis of Article 6(1)(c) GDPR (compliance with a legal obligation) and is subject to the security and proportionality measures set out in the DORA Regulation itself.
6.4 Other compatible purposes
We may process your personal data for other purposes compatible with those set out above, applying the compatibility test set out in Article 6(4) GDPR, taking into account factors such as the link between the original and new purpose, the context in which the data were collected, and the possible risks to your rights and freedoms. We will document the applicable legal basis (including Legitimate Interest Assessments where relevant). If the new purpose is incompatible with the original purpose for which your data were collected, we will proactively inform you and, where required, obtain your consent before commencing such processing.
7. Age Restrictions
Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact dpo@due.network immediately and we will take steps to delete such information.
8. Disclosure of your information to third parties
We will take steps to ensure that personal data is accessed only by our employees who need to do so for the purposes described in this notice.
Your data may be disclosed, as appropriate, to the following categories of recipients:
• Public authorities and supervisory bodies (including FIUs, police authorities and tax authorities) when required by law or necessary for the prevention or detection of criminal activities.
• Compliance and KYC/KYB service providers, sanctions verification providers, and risk data providers (acting as processors).
• Banking partners, payment partners, and other financial service providers acting as data processors or joint controllers.
• IT service providers, hosting, cloud, and data storage providers (acting as processors).
• External auditors, legal advisors and forensic auditors when necessary for audit or investigation purposes.
• Buyers or potential buyers of the business in the event of a sale or corporate restructuring.
In all cases, recipients will be contractually required to process the data in accordance with this notice and not use it for any other purpose.
Clarification of roles: Some recipients (e.g., certain banking/payment partners) may act as independent controllers for their own regulatory purposes.
Processors and subcontractors
We work with service providers who act as data processors (e.g., KYC/IDV providers, banking partners, hosting services, cloud services, and verification providers). All processors are bound by contracts containing appropriate safeguards (including standard contractual clauses) and security obligations.
9. Transfers of personal data outside the European Economic Area ("EEA") and the United Kingdom
The personal data we collect from you may be transferred to and stored at a destination outside the EEA/UK. It may also be processed by staff operating outside the EEA/UK who work for our affiliates or for one of our suppliers.
Personal data is primarily hosted and processed within the EEA and the UK. However, due to the group's international structure and/or specific supplier or operational needs (e.g., support, regulatory compliance, or resilience), transfers outside the EEA/UK may occur in specific cases.
When we transfer your personal data outside the EEA/UK, we will ensure that it is protected in a manner consistent with how we protect it within the EEA/UK. The safeguards applied vary by destination jurisdiction:
• United Kingdom: recognised as an adequate destination by the European Commission (Adequacy Decisions 2021/1772 and 2021/1773). For onward transfers originating from the UK, we apply the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the SCCs, as appropriate;
• Argentina: recognised as an adequate country by the European Commission. We additionally apply standard contractual clauses as a supplementary measure;
• Canada: benefits from a partial adequacy decision by the European Commission (private sector under PIPEDA), currently under review. For transfers to Due Payments Inc. we use Standard Contractual Clauses (SCCs) approved by the European Commission;
• United States (Due Technologies Inc.): no general adequacy decision exists. Transfers are carried out on the basis of Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by technical and organisational measures following a Transfer Impact Assessment (TIA);
• Intra-group transfers: may rely on Binding Corporate Rules (BCRs) where applicable;
• Other jurisdictions: the recipient has signed a contract based on standard contractual clauses approved by the European Commission or the UK Government (as applicable), supplemented by such additional measures as are necessary following a risk assessment of the transfer.
In other circumstances, the law may allow us to transfer your personal data outside the EEA/UK. In all cases, however, we will ensure that any transfer of your personal data complies with data protection law.
You can obtain further details of the protection afforded to your personal data when transferred outside the EEA/UK (including a copy of the standard data protection clauses we have entered into with the recipients of your personal data) by contacting us in accordance with the "Contacting us" section below.
For transfers from the EEA/UK we may use, where appropriate, the European Commission's SCCs and, for the UK, the ICO's IDTA or the UK Addendum to the SCCs, together with supplementary measures where appropriate following the risk assessment of the transfer.
10. Retention of personal data
The length of time we retain your personal data will vary. The retention period will be determined by several criteria, including:
• the purpose for which we are using it: we will need to retain the data for as long as necessary for that purpose; and
• legal obligations: laws or regulations may set a minimum period for which we must retain your personal data.
• Retention requirements may vary by jurisdiction; for example, some countries require personal data to be kept for longer periods under local law.
Indicative Retention Periods (subject to applicable legal and regulatory requirements):
- KYC/AML records and due diligence evidence: 10 years from the termination of the business relationship or the execution of an occasional transaction, in accordance with Article 25 of Law 10/2010 on the Prevention of Money Laundering and Financing of Terrorism. This includes identification documents, video identification recordings, beneficial ownership information, risk assessments, and due diligence documentation.
- Transactional and accounting records: retained in accordance with applicable legal obligations, including AML/CFT requirements (10 years under Law 10/2010) and commercial/accounting obligations (generally 6 years under the Spanish Commercial Code). Data will be retained for the period required under the applicable legal basis in each case. This may include transaction details, amounts, currencies, counterparties, payment methods, blockchain transaction hashes, and TFR-related data.
- Security and anti-fraud logs: retained for a limited period based on proportionality and security needs (generally up to 2 years), unless they are required for longer periods in connection with AML investigations, suspicious activity reporting, or legal obligations.
- Claims and litigation: retained for the duration of the applicable statute of limitations (generally 5 years under Spanish civil law, unless extended by specific regulations), and until the final resolution of the matter.
Upon expiry of the applicable retention periods, personal data will be securely deleted or irreversibly anonymised in accordance with our data retention and destruction procedures. Anonymised data may be retained for statistical or research purposes, provided that it cannot be re-identified.
11. Your rights
You have several legal rights regarding the personal data we hold about you. These rights include:
• the right to obtain information about the processing of your personal data and access to the personal data we hold about you;
• the right to withdraw your consent at any time; this will not affect the lawfulness of processing based on consent before its withdrawal, nor prevent us from continuing to process data where there is another valid legal basis other than consent;
• in some circumstances, the right to receive certain personal data in a structured, commonly used and machine-readable format and/or to request that we transmit that data to a third party where this is technically feasible. Please note that this right only applies to personal data that you have provided to us;
• the right to request that we rectify your personal data if it is inaccurate or incomplete;
• the right to request that we erase your personal data in certain circumstances. Please note that there may be circumstances in which you request us to erase your personal data, but we have a legal right to retain it;
• the right to object and the right to request that we restrict our processing of your personal data in certain circumstances. Again, there may be circumstances in which you object or request that we restrict our processing of your personal data, but we have a legal right to continue processing your personal data and/or to reject that request; and
• the right to lodge a complaint with the data protection regulator (details of which are provided below) if you believe that any of your rights have been infringed by us.
You may exercise your data protection rights by contacting our Data Protection Officer (DPO), formally designated and registered with the Spanish Data Protection Authority (AEPD), through the following channels:
Email: dpo@due.network (recommended for a faster response)
Postal address:
Data Protection Officer
Due Network S.L.
Paseo de la Castellana 91, 4º 1ª
28046 Madrid, Spain
To help us process your request efficiently, please include your name, contact details, the right you wish to exercise, and any information that may help us identify your data.
We may request additional information to verify your identity where necessary, in accordance with Article 12(6) GDPR.
We will respond to your request without undue delay and, in any event, within one month of receipt. This period may be extended by up to two additional months where necessary, taking into account the complexity and number of requests.
As a general rule, exercising your rights is free of charge. However, we may charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive, in accordance with Article 12(5) GDPR.
If you consider that your rights have not been adequately addressed, you have the right to lodge a complaint with the Spanish Data Protection Authority (AEPD) (www.aepd.es), C/ Jorge Juan, 6, 28001 Madrid.
You can also exercise your rights by contacting us using the details set out in the "Contacting us" section below.
Further information about your rights can be obtained by contacting the data protection supervisory authority located in your jurisdiction:
• United Kingdom: the Information Commissioner's Office ("ICO").
• Spain: the Spanish Data Protection Agency (AEPD).
How we handle requests: We may request reasonable additional information to verify your identity and protect your data; we will respond within applicable legal timeframes.
12. Contacting us
If you would like more information about the collection, use, disclosure, transfer or processing of your personal data or the exercise of any of the rights listed above, please direct your questions, comments and requests to dpo@due.network.
We may update this notice periodically. When changes are material, we will notify you by reasonable means (for example, by email or a notification on the dashboard/portal, if one exists). The date of the last update appears at the beginning of the notice.